An organization typically will employ a variety of defensive mechanisms to mitigate the risk of computer network attacks. Despite taking such precautions, an organization nevertheless may fall victim to a successful attack that breaches its computer network. There are many ways for an attacker to get a foothold into the computer network of an organization such as by enticing a user to click a malicious link in a phishing e-mail message or by exploiting known or unpatched vulnerabilities. When such tactics are successful, an attacker may obtain the ability to run malicious code and compromise the computer network of the organization.
Upon compromising an initial computer of the organization, the attacker may use credentials stolen from the initial compromised computer to access and compromise other machines within the computer network. In general, the goal of the attacker is to locate credentials having elevated permissions that allow access to high-value machines such as infrastructure servers and domain controllers. An attacker that successfully obtains domain administrator credentials could compromise all computers within a domain of the organization as well as external domains that trust the organization.
If the stolen credentials from the initial compromised computer do not have elevated permissions, the attacker typically will initiate lateral movement to other connected computers that can be accessed and searched for additional credentials. In general, the attacker may use local administrator account credentials stolen from the initial compromised computer to access and compromise other computers on the same network tier. The attacker may continue lateral movement and breaching computers within the same network tier until locating credentials that allow privilege escalation and deeper network traversal. Upon locating credentials having elevated permissions, the attacker then progresses to the next network tier and again performs lateral movement in search of higher privileges.
If lateral movement is not detected, a local compromise may spread and become a global intrusion. As such, it is important to be able to detect the lateral movement of an attacker as soon as possible so that the scope of a breach can be determined and appropriate containment and remediation can be performed.
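The following is an added example, not part of the original document, showing the two detection views the preceding paragraphs imply: a same-tier sweep (one account logging on from one source host to many destination hosts in a short window) and the credential chain along the path an attacker followed outward from a known-compromised host. The logon records, host names, account names and the (timestamp, account, source, destination) layout are all constructed for the example; a real deployment would read them from a logon audit or SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote logon events (not taken from the page). Each row is
# (timestamp, account, source_host, destination_host); the host and account names
# and this field layout are assumptions made for the example.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "ws01\\localadmin", "ws01", "ws02"),
    ("2024-01-10T09:02:00", "ws01\\localadmin", "ws01", "ws03"),
    ("2024-01-10T09:04:00", "ws01\\localadmin", "ws01", "ws04"),
    ("2024-01-10T09:05:00", "ws01\\localadmin", "ws01", "ws05"),
    ("2024-01-10T09:30:00", "corp\\svc_backup", "ws05", "srv01"),
    ("2024-01-10T09:45:00", "corp\\da_admin", "srv01", "dc01"),
    ("2024-01-10T11:00:00", "corp\\alice", "ws10", "fileshare"),
]


def parse_events(rows):
    """Turn raw rows into dicts with parsed timestamps, sorted by time."""
    events = [
        {"time": datetime.fromisoformat(ts), "account": acct, "src": src, "dst": dst}
        for ts, acct, src, dst in rows
    ]
    return sorted(events, key=lambda e: e["time"])


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Flag (account, source host) pairs that reach `threshold` or more distinct
    destination hosts within `window`: the same-tier sweep with a local admin
    credential described in the text."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["account"], e["src"])].append(e)
    alerts = []
    for (account, src), evs in by_key.items():
        best = 0
        for anchor in evs:
            # distinct destinations contacted in the window ending at this event
            dests = {
                e["dst"] for e in evs
                if anchor["time"] - window <= e["time"] <= anchor["time"]
            }
            best = max(best, len(dests))
        if best >= threshold:
            alerts.append({"account": account, "src": src, "distinct_hosts": best})
    return alerts


def trace_from(events, start_host):
    """Follow logons outward from a known-compromised host to scope the breach.
    A hop is followed only if its source host was already reached by an earlier
    hop, so a single pass in time order suffices (later events cannot enable
    earlier ones). Returns the ordered list of (source, destination, account)."""
    reached = {start_host}
    hops = []
    for e in events:
        if e["src"] in reached and e["dst"] not in reached:
            reached.add(e["dst"])
            hops.append((e["src"], e["dst"], e["account"]))
    return hops


def credential_chain(hops):
    """Distinct accounts in the order they were first used along the path. Each
    change of account between hops is a point where new credentials were picked
    up, i.e. a likely step to the next network tier."""
    seen = []
    for _, _, account in hops:
        if account not in seen:
            seen.append(account)
    return seen


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in fan_out_alerts(evs):
        print("fan-out:", alert)
    path = trace_from(evs, "ws01")
    for src, dst, account in path:
        print(f"{src} -> {dst} as {account}")
    print("credential chain:", credential_chain(path))
```

The fan-out check fires on the first tier (the local administrator account sweeping four workstations in five minutes), while the trace from `ws01` exposes the escalation path `ws01 -> ws05 -> srv01 -> dc01` and the three credentials used along it; the unrelated `alice` logon from `ws10` is correctly left out of the breach scope.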